4f23a54b52
xen: Allow xenstored to map /proc/xen/xsd_kva
...
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2020-11-05 06:55:17 -05:00
14a45a594b
devices, filesystem, systemd, ntp: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:45:11 -04:00
785677771d
Merge pull request #313 from bootlin/buildroot-systemd-fixes
2020-10-09 09:42:40 -04:00
b5525a3fca
systemd: Move systemd-pstore block up in alphabetical order.
...
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:42:31 -04:00
e9228b49bb
systemd: allow systemd-network to list the runtime directory
...
Fixes:
avc: denied { read } for pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
avc: denied { read } for pid=58 comm="systemd-network" name="/"
dev="tmpfs" ino=652 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-10-09 08:58:31 +02:00
49a0771dd3
systemd: allow systemd-getty-generator to read and write unallocated ttys
...
Fixes:
avc: denied { read write } for pid=40 comm="systemd-getty-g"
name="ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
avc: denied { open } for pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=40 comm="systemd-getty-g"
path="/dev/ttyS0" dev="devtmpfs" ino=612 ioctlcmd=0x5401
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:tty_device_t tclass=chr_file permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-10-09 08:58:31 +02:00
f5c8a117d9
Add selinux-policy for systemd-pstore service
...
systemd-pstore is a service to archive contents of pstore.
Signed-off-by: Deepak Rawat <drawat.floss@gmail.com>
2020-10-09 03:20:09 +00:00
39e2af539d
corecommands, dbus, locallogin, logging, sysnetwork, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-22 08:27:05 -04:00
941620c89c
Merge pull request #309 from yizhao1/dhcpcd
2020-09-22 08:23:49 -04:00
fdda7befa5
systemd: allow systemd-resolve to read in tmpfs
...
Fixes:
avc: denied { read } for pid=76 comm="systemd-resolve" name="/"
dev="tmpfs" ino=651 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:var_run_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
34547434b8
systemd: allow systemd-network to get attributes of fs
...
Fixes:
avc: denied { getattr } for pid=57 comm="systemd-network" name="/"
dev="vda" ino=2 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:25:09 +02:00
1ee738f708
systemd: allow systemd-hwdb to search init runtime directories
...
Fixes:
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
avc: denied { search } for pid=54 comm="systemd-hwdb" name="systemd"
dev="tmpfs" ino=664 scontext=system_u:system_r:systemd_hw_t
tcontext=system_u:object_r:init_runtime_t tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
f71d288e54
systemd: add extra systemd_generator_t rules
...
Fixes:
avc: denied { setfscreate } for pid=41 comm="systemd-getty-g"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=process
permissive=1
avc: denied { dac_override } for pid=40 comm="systemd-fstab-g"
capability=1 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=capability
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-21 16:15:37 +02:00
25251b1f3b
sysnet: allow dhcpcd to create socket file
...
The dhcpcd needs to create socket file under /run/dhcpcd directory.
Fixes:
AVC avc: denied { create } for pid=331 comm="dhcpcd" name="eth0.sock"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { setattr } for pid=331 comm="dhcpcd"
name="eth0.sock" dev="tmpfs" ino=19153
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:dhcpc_runtime_t:s0 tclass=sock_file
permissive=0
AVC avc: denied { sendto } for pid=331 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=unix_dgram_socket permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-09-21 14:23:09 +08:00
23f1e4316b
sysnetwork: allow to read network configuration files
...
Fixes:
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=55 comm="systemd-udevd" name="network"
dev="vda" ino=128 scontext=system_u:system_r:udev_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { open } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
avc: denied { getattr } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { read } for pid=59 comm="systemd-network" name="network"
dev="vda" ino=128 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { open } for pid=59 comm="systemd-network"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { search } for pid=59 comm="systemd-network"
name="network" dev="vda" ino=128
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:net_conf_t tclass=dir permissive=1
avc: denied { getattr } for pid=55 comm="systemd-udevd"
path="/etc/systemd/network" dev="vda" ino=128
scontext=system_u:system_r:udev_t tcontext=system_u:object_r:net_conf_t
tclass=dir permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
5c604e806b
logging: allow systemd-journal to write messages to the audit socket
...
Fixes:
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
avc: denied { nlmsg_write } for pid=46 comm="systemd-journal"
scontext=system_u:system_r:syslogd_t
tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
8cb806fbdf
locallogin: allow login to get attributes of procfs
...
Fixes:
avc: denied { getattr } for pid=88 comm="login" name="/" dev="proc"
ino=1 scontext=system_u:system_r:local_login_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=1
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
7014af08ff
udev: allow udevadm to retrieve xattrs
...
Fixes:
avc: denied { getattr } for pid=50 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
avc: denied { getattr } for pid=52 comm="udevadm" name="/" dev="vda"
ino=2 scontext=system_u:system_r:udevadm_t
tcontext=system_u:object_r:fs_t tclass=filesystem permissive=0
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
2020-09-18 14:34:34 +02:00
c33866e1f6
selinux, init, systemd, rpm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-09-09 16:55:06 -04:00
24827d8073
selinux: add selinux_use_status_page and deprecate selinux_map_security_files
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-09 21:00:47 +02:00
1103350ee3
init/systemd: allow systemd to map the SELinux status page
...
systemd v247 will access the SELinux status page.
This affects all domains currently opening the label database, having
the permission seutil_read_file_contexts.
see https://github.com/systemd/systemd/pull/16821
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-09-08 13:18:18 +02:00
dcf7ae9f48
userdomain: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-31 15:36:14 -04:00
9d3321e4fe
userdomain.if: Marked usbguard user modify tunable as optional so usbguard may be excluded.
...
Thanks to Dominick Grift for helping me pin-point this.
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
2020-08-29 20:43:38 +00:00
72e221fd4d
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-28 15:30:52 -04:00
cc15ff2086
Merge pull request #302 from dsugar100/master
2020-08-28 15:26:50 -04:00
74b37e16db
Merge pull request #301 from bauen1/fix-selint-s-010
2020-08-28 15:26:47 -04:00
fa59d0e9bc
selint: fix S-010
...
Signed-off-by: bauen1 <j2468h@gmail.com>
2020-08-28 17:39:09 +02:00
1627ab361e
Looks like this got dropped in pull request #294
...
Seeing the following denial - adding back in:
localhost kernel: type=1400 audit(1598497795.109:57): avc: denied { map } for pid=1054 comm="modprobe" path="/usr/lib/modules/3.10.0-1127.19.1.el7.x86_64/modules.dep.bin" dev="dm-0" ino=23711 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2020-08-27 08:10:58 -04:00
d387e79989
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-18 09:09:10 -04:00
ab47695bdb
files, init, modutils, systemd, udev: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-14 09:38:09 -04:00
e10d956f38
Merge pull request #294 from cgzones/selint
2020-08-14 09:36:44 -04:00
8322f0e0d9
Remove duplicated rules
...
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2020-08-14 10:55:31 +08:00
09ed84b632
files/modutils: unify modules_object_t usage into files module
...
modutils.te: 50: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 51: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 52: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.te: 53: (W): No explicit declaration for modules_object_t from module files. You should access it via interface call or use a require block. (W-001)
modutils.if: 15: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.if: 52: (W): Definition of declared type modules_object_t not found in own module, but in module files (W-011)
modutils.fc: 24: (S): Type modules_object_t is declared in module files, but used in file context here. (S-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
e9b2e1ea4f
work on SELint issues
...
- selinuxutil.te: ignore gen_require usage for bool secure_mode
- corenetwork.te: ignore gen_require usage for type unlabeled_t
- files.if: drop unneeded required types in interface
- rpm.if: drop unneeded required type in interface
- xserver.if: ignore interface xserver_restricted_role calling template xserver_common_x_domain_template
- domain.te: add require block with explicit declaration for used type unlabeled_t from module kernel
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 21:23:43 +02:00
fbc60f2319
Merge pull request #296 from cgzones/diff-check
...
whitespace cleanup
2020-08-13 09:19:48 -04:00
72b2c66256
whitespace cleanup
...
Remove trailing white spaces and mixed up indents
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:34:57 +02:00
3bb507efa6
Fix several misspellings
...
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2020-08-13 14:08:58 +02:00
71e653980b
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-08-11 08:35:00 -04:00
cd141fa2ea
Merge pull request #290 from pebenito/fs-image
2020-08-11 08:33:26 -04:00
32b2332d36
Merge pull request #289 from pebenito/remove-unlabeled-file
2020-08-11 08:33:22 -04:00
777fe47c19
kernel, fstools, lvm, mount: Update to use filesystem image interfaces.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-29 14:33:39 -04:00
fe737c405d
selinuxuntil, userdomain: Restore relabelfrom access for unlabeled files.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-28 10:33:07 -04:00
4c7926a3c0
init: Revise init_startstop_service() build option blocks.
...
Revise to use ifelse to have a clear set of criteria for enabling the
various options. Additionally, if no options are enabled, run_init
permissions are provided as a default.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-07-27 11:40:36 -04:00
613708cad6
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-07-04 09:30:45 -04:00
0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
be04bb3e7e
Rename "pid" interfaces to "runtime" interfaces.
...
Rename interfaces to bring consistency with previous pid->runtime type
renaming. See PR #106 or 69a403cd
2020-06-28 14:33:17 -04:00
c63e5410a9
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-17 08:48:41 -04:00
c2a142d762
systemd: Merge generator domains.
...
If these processes are compromised they can write units to do malicious
actions, so trying to tightly protect the resources for each generator
is not effective.
Made the fstools_exec() optional, although it is unlikely that a system
would not have the module.
Only aliases for removed types in previous releases are added. The
systemd_unit_generator() interface and systemd_generator_type attribute
were not released and are dropped without deprecation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 09:47:20 -04:00
71002cdfe0
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-15 08:57:44 -04:00
91087f8ff1
Merge pull request #274 from bauen1/remove-dead-weight
2020-06-15 08:56:42 -04:00
Anthony PERARD
Chris PeBenito
Antoine Tenart
Deepak Rawat
Yi Zhao
Christian Göttsche
Jonathan Davies
bauen1
Dave Sugar
Chris PeBenito